Vijayarani et al. (2015) describe an IDS as a software application that monitors network or system activities and determines whether any malicious operations occur. IDSs are deployed in the network to detect the presence of intruders, especially those that manage or try to bypass security defense layers such as firewalls, anti-virus, and access control, so that preventive measures can be taken. According to Hamdan et al. (2010), IDSs attempt to detect computer attacks by inspecting data records observed by processes on the same network. Generally, these attacks are divided into two categories: host-based attacks and network-based attacks. Host-based attack detection routines normally use system call data from an audit process that tracks all system calls made on behalf of each user on a particular machine. Network-based attack detection routines usually use network traffic data from a network packet sniffer.
Table 2.2 Comparison of HIDS and NIDS performance (Xavier, 2016)
| Performance in terms of | Host-Based IDS (HIDS) | Network-Based IDS |
|---|---|---|
| Intruder deterrence | Strong deterrence for inside intruders | Strong deterrence for outside intruders |
| Threat response time | Weak real time response but performs better for a long-term attack | Strong response time against outside intruders |
| Assessing damage | Excellent in determining extent of damage | Very weak in determining extent of damage |
| Intruder prevention | Good at preventing inside intruders | Good at preventing outside intruders |
| Threat anticipation | Good at trending and detecting suspicious behavior patterns | Good at trending and detecting suspicious behavior patterns |
i) IDS Approach
IDS appliances can be used for auditing purposes. In other words, they just detect whether a particular software or protocol is in use on the observed network. There are three commonly used detection mechanisms available:
Anomaly-based detection is a method commonly used for protocols, because all the valid forms of a protocol are known and clearly defined in RFCs. Deviations from those forms are then identified as anomalies. The drawback of this method is obvious: just because traffic follows the defined standards, its content cannot be assumed to be non-malicious.
Behavior-based detection is a mechanism that watches ongoing network activity and looks for suspicious events. In other words, behavior-based detection is baselined on everyday activity and looks for anything that deviates from it. This technology allows any difference to be detected, including unknown issues such as zero-day attacks.
Signature-based detection compares event patterns against known attack patterns (signatures) stored in the appliance database. Consequently, its detection capability is limited to known signatures and malicious activity. The similarity to antivirus software solutions comes to mind, and, as with antivirus, regular updates are crucial.
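The three mechanisms above can be compared side by side on the same traffic. The following is an added example, not code from any of the cited works; the signature list, the simplified HTTP request-line pattern, the per-host baseline and the events are all constructed for illustration.

```python
import re
import statistics

# Constructed signature list and traffic; not taken from any real rule set.
SIGNATURES = ["../", "cmd.exe"]
# Simplified HTTP/1.x request-line form (method SP target SP version).
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]$")
BASELINE_RPM = {"10.0.0.5": [12, 15, 11, 14, 13]}  # requests/min on normal days

EVENTS = [  # (source host, request line, requests in the last minute)
    ("10.0.0.5", "GET /index.html HTTP/1.1", 13),
    ("10.0.0.5", "GET /files/../../secret HTTP/1.1", 14),
    ("10.0.0.5", "GET\t/index.html", 12),
    ("10.0.0.5", "POST /api/v2/sync HTTP/1.1", 240),
]

def signature_hit(line):
    """Signature-based: fires only on patterns already in the database."""
    return any(sig in line for sig in SIGNATURES)

def protocol_anomaly(line):
    """Anomaly-based: fires when the line deviates from the defined form."""
    return REQUEST_LINE.match(line) is None

def behavior_anomaly(host, rpm, k=3.0):
    """Behavior-based: fires when activity deviates from the host's baseline."""
    history = BASELINE_RPM[host]
    mean, dev = statistics.mean(history), statistics.pstdev(history)
    return abs(rpm - mean) > k * max(dev, 1.0)

def classify(events):
    """Return, per event, the set of mechanisms that raised an alert."""
    results = []
    for host, line, rpm in events:
        alerts = set()
        if signature_hit(line):
            alerts.add("signature")
        if protocol_anomaly(line):
            alerts.add("anomaly")
        if behavior_anomaly(host, rpm):
            alerts.add("behavior")
        results.append(alerts)
    return results

if __name__ == "__main__":
    for event, alerts in zip(EVENTS, classify(EVENTS)):
        print(event[1], "->", sorted(alerts) or "no alert")
```

The second event is a well-formed request that only the signature check catches, which is the drawback of protocol anomaly detection noted above, and the fourth has no known signature and is caught only by the baseline.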
ii) Analysis Approach
Ayman et al. (2017) classify malware analysis methods by the mode of analysis: static, dynamic, or a mix of both (hybrid). The difference between static and dynamic analysis is shown in the table below.
Static analysis means analyzing the software without executing it: it looks at the file itself and tries to extract information about the structure and the data in the file, such as the time the program was compiled and which compiler was used. Dynamic analysis, by contrast, tests the program by executing it in real time and trying to find errors while it runs. There are many ways to dynamically analyze suspicious software, as described in the following sections.
Static analysis can be done either on the source code or on the binary executable. The issue is that when source code is compiled to binary code some information is lost, which makes analysis of the code very complicated. The good point is that static analysis can identify specific coding errors that can lead to problems at run-time, such as crashes or memory leaks. Static analysis can be classified as either basic or advanced static analysis.
Table 2.3 Comparison between Static Analysis and Dynamic Analysis Methods (Ayman, 2017)
| Factors | Static Analysis | Dynamic Analysis |
|---|---|---|
| Time | Less time if automated but more time if conducted manually | More time is needed |
| Input | Source code, byte code of interpreted language or binary code of a compiled application | Memory snapshots and run-time data |
| Consumption | More cost efficient | Needs more resources in memory and processing |
| Accuracy | Less than dynamic analysis | Better because it detects run-time vulnerability |
| Advantages | Faster and code weaknesses are found earlier in the development life cycle; more cost efficient than dynamic analysis; static analysis analyzes the source code so it checks all possible malware executions | Finds vulnerabilities at runtime; more flexible; more accurate; more attractive than static analysis because it is concerned with actual code execution |
| Limitations | Cannot find vulnerabilities at run-time; hard to perform | Analyzes only a single malware at a time |
(d) Introduction to Machine Learning
Machine learning (ML) was introduced in the late 1950s as a technique for artificial intelligence (AI) (Yue, 2015). ML is the use of algorithms within a program to learn from collected data, and various algorithms exist for this purpose. ML algorithms include clustering, classification, pattern recognition, correlation and statistical techniques.
i) Machine learning (ML) Algorithms
According to Liang et al. (2018), machine learning techniques including supervised learning, unsupervised learning, and reinforcement learning have been widely applied to improve network security, for example in authentication, access control, anti-jamming offloading and malware detection.
Firstly, supervised learning includes support vector machine (SVM), naive Bayes, K-nearest neighbor (K-NN), neural network, deep neural network (DNN) and random forest. IoT devices can use SVM to detect network intrusion and spoofing attacks, apply K-NN in network intrusion and malware detection, and utilize neural networks to detect network intrusion and DoS attacks. Naive Bayes can be applied in intrusion detection, and a random forest classifier can be used to detect malware. IoT devices with sufficient computation and memory resources can utilize DNN to detect spoofing attacks.
Secondly, unsupervised learning does not require the labeled data used in supervised learning; it investigates the similarity between unlabeled data to cluster them into different groups. Lastly, reinforcement learning techniques such as Q-learning, Dyna-Q, post-decision state (PDS) and deep Q-network (DQN) enable an IoT device to choose the security protocols as well as the key parameters against various attacks via trial-and-error.
ii) Machine learning (ML) Techniques
According to Koroniotis et al. (2017), there are four types of machine learning techniques for IoT botnet detection: Association Rule Mining, Decision Tree, Artificial Neural Network and Naive Bayes. A brief description of each technique is provided first, then this project also provides an analysis of the results obtained, based on accuracy and false alarm rate.
Association Rule Mining (ARM) and Decision Tree (DT) are classification algorithms. Association Rule Mining is performed by generating rules of a form, while Decision Tree produces a tree-like structure to determine the class chosen for a record. In addition, the Artificial Neural Network (ANN) is a classification model based on the idea of human neurons, while Naive Bayes classifies a record into a specific class.
The four outcome counts, True Positive (TP), True Negative (TN), False Positive (FP) and False Negative (FN), are combined to create two metrics, namely Accuracy and False Alarm Rate (FAR), which can be used to evaluate the techniques. These two metrics are calculated as follows:
• Accuracy represents the probability that a record is correctly identified, either as attack or as normal traffic. The calculation of Accuracy (Overall Success Rate) is OSR = (TN+TP)/(TP+FP+TN+FN)
• False Alarm Rate (FAR) represents the probability that a record gets incorrectly classified. The calculation of the False Alarm Rate is FAR = (FP+FN)/(FP+FN+TP+TN)
Koroniotis (2017) shows that the DT technique was the best at distinguishing between botnet and normal network traffic. This algorithm makes use of Information Gain to pick the feature which best splits the data based on the classification feature, during construction of the tree and at every node. The figure below shows that DT had the highest accuracy out of all the algorithms that were tested, at 93.23%, and the lowest FAR, at 6.77%. ARM was the second-best classifier, having an accuracy of close to 86% and a FAR just over twice that of the DT. The Naïve Bayes classifier, which relies on probability to classify records into classes, was third, with 20% less accuracy and close to 21% more false alarms than the DT. Finally, the Artificial Neural Network was the least accurate out of the four algorithms that we tested, with accuracy and false alarm rate for this classifier showing a 30% difference from the C4.5 algorithm.
Figure 2.13 Accuracy vs FAR of ML Techniques (Koroniotis, 2017)
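The Information Gain split selection and the two metrics defined above can be worked through on a small data set. This is an added example, not code or data from Koroniotis (2017): the flow records, feature names and the one-level tree are constructed, and the tree is scored on the same records it was built from.

```python
import math
from collections import Counter

# Constructed flow records (protocol, service, label); not from the cited data.
RECORDS = [
    ("tcp", "telnet", "attack"), ("tcp", "telnet", "attack"),
    ("tcp", "telnet", "attack"), ("udp", "dns", "normal"),
    ("tcp", "http", "normal"), ("tcp", "http", "normal"),
    ("udp", "dns", "normal"), ("tcp", "http", "attack"),
]
FEATURES = {"protocol": 0, "service": 1}  # feature name -> column index

def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def information_gain(records, idx):
    """Entropy of the labels minus the weighted entropy after splitting on idx."""
    groups = {}
    for r in records:
        groups.setdefault(r[idx], []).append(r[-1])
    remainder = sum(len(g) / len(records) * entropy(g) for g in groups.values())
    return entropy([r[-1] for r in records]) - remainder

def best_split(records):
    """Feature a decision tree would choose at this node."""
    return max(FEATURES, key=lambda f: information_gain(records, FEATURES[f]))

def osr_far(records, feature):
    """Score a one-level tree (majority label per feature value) with OSR and FAR."""
    idx = FEATURES[feature]
    votes = {}
    for r in records:
        votes.setdefault(r[idx], Counter())[r[-1]] += 1
    rule = {value: c.most_common(1)[0][0] for value, c in votes.items()}
    tp = tn = fp = fn = 0
    for r in records:
        pred, actual = rule[r[idx]], r[-1]
        if pred == actual:
            tp, tn = tp + (pred == "attack"), tn + (pred == "normal")
        else:
            fp, fn = fp + (pred == "attack"), fn + (pred == "normal")
    total = tp + tn + fp + fn
    return (tp + tn) / total, (fp + fn) / total

if __name__ == "__main__":
    feature = best_split(RECORDS)
    print(feature, osr_far(RECORDS, feature))
```

Because FAR as defined here counts every misclassified record, OSR and FAR always sum to 1, which matches the 93.23% and 6.77% reported for the DT.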